Actual Domain Emails Are Sent Through

We send a lot of emails internally with Marketo. We got a new spam filter and all our Marketo emails no have Marketing in front of the subject line now. Many of the emails we send internal come from our CEO. Our IT team needs to add the domain but needs to know where the actual email domain they come from is. We have our DKIM and SPF setup but what’s the actual domain the emails come from?

We have our DKIM and SPF setup but what’s the actual domain the emails come from?

Look in the headers of a received message and you'll see the envelope sender (MAIL FROM, which your IT team should be filtering on) as well as the From: header (which they may try to filter on, but I wouldn't advise it as it's trivially forged).

Even better would be filtering on DKIM signed mail from your domain. That is not forgeable and has no collateral damage if you whiltelist it. But may not be possible w/your mail infrastructure.

Note if you set up SPF and actually needed SPF then you'd already know the envelope sender domain: it's the domain for which you set up SPF! However, many people set up SPF when they didn't need to, since they're using a shared Marketo instance. In that case the SPF record is meaningless and can't be used to determine the sender domain.

We have our DKIM and SPF setup but what’s the actual domain the emails come from?

Look in the headers of a received message and you'll see the envelope sender (MAIL FROM, which your IT team should be filtering on) as well as the From: header (which they may try to filter on, but I wouldn't advise it as it's trivially forged).

Even better would be filtering on DKIM signed mail from your domain. That is not forgeable and has no collateral damage if you whiltelist it. But may not be possible w/your mail infrastructure.

Note if you set up SPF and actually needed SPF then you'd already know the envelope sender domain: it's the domain for which you set up SPF! However, many people set up SPF when they didn't need to, since they're using a shared Marketo instance. In that case the SPF record is meaningless and can't be used to determine the sender domain.

Did the first option and ran the email through Gmail to view the source and send the domain over. its an interesting domain. there is an SJ in it which i'm assuming cause we're in the San Jose data center.

... there is an SJ in it which i'm assuming cause we're in the San Jose...

Correct.

That's the standard (non-branded) envelope sender domain. Ergo, your SPF record is not being used, and as I mentioned looking at the SPF setup in the Marketo UI or in your DNS control panel won't tell you the real domain that needs whitelisting.